Reducing E-Waste: Reverse engineering the Lenovo EMC PX4-300D NAS firmware and kernel drivers

The Lenovo EMC PX4-300D is a small, but powerful NAS system.
It features the following specs:

Matched with four 2TB disks, its got enough performance and space for my backup needs. However, there is one big problem. The NAS was initially released in January 2012 and has not seen any os updates since a long time. Currently the NAS runs a customized, Linux 3.x Kernel. A secure operation of the device is therefore not possible anymore. To fix this i began to try installing a newer linux operating system. Fortunately, the NAS is based on an x86 architecture as well as 64bit compatible so this should not be very hard.

After dismantling the device, i noticed a few things:

• The mainboard of the device exposes a standard serial interface with a four pin header
• The front IO USB3.0 is connected through a usb extension cable, directly to a USB A female connector on the board
• The Mainboard also features a PCIe slot for expansion (e.g. network interfaces or SCSI cards)

To get an idea on which pins of the serial interface are VCC, GND, TX, RX I pulled out my mulitmeter and started measuring. The following table illustrates the pin layout. The pin numbers are numbered from left to right matching the direction of the "SERIAL_B" description label on the board. (Pin #1 above "S"). You can refer to the cable colors if you are using a PL2303TA USB to TTL cable like mine: Amazon affiliate link

To connect to the serial interface I used PuTTY: a free SSH and Telnet client (greenend.org.uk), a baud rate of 115200, 8 parity bits, 1 stop bit and no parity or flow control. Once the connection was open using PuTTY, I powered on the device. Soon, I was able to see the bios post messages appearing on the terminal, prompting to press F11 for a boot device selection menu, or DEL to enter the bios setup. The interface was similar to other bios setup menus, and allowed me to change the boot order as well as many other settings of the device. Great.

Once the USB stick was ready, I plugged it into one of the two ports on the back of the device, powered it on and selected the USB stick using the boot device selection menu. It took a while to boot as the flashdrive is not as fast as a ssd drive, but after a few minutes I was greeted with a login prompt of the Debian OS installed on the flashdrive. Now it was time to investigate further into the hardware of the device. It turned out, that there was another flashdrive, probably directly soldered onto the motherboard, containing the operating system of the NAS. To make sure i can always restore the device to its original glory, I created a 1:1 copy of its' contents using the dd command. Funfact: I was able to get the image to boot in a virtual machine on my proxmox server, just for fun as it does not have any real world use case. Further than that, investigating using the live os had no more information to offer. Therefore I rebooted the device and tried investigating using the original firmware, which fortunately allowed me to login as the root user using the diagnostic features (the link is specific to the small sibling of the px4-300d, but applies to it as well.

Digging deeper, I found that the display was a UMS8485MD, monochrome 128x64 pixels display, controlled via a lcm device at /dev/lcm. Moreover, the two buttons at the front, right to the display, were exposed using a standard input device at /dev/input/by-path/platform-asus_laptop-event allowing me to react to the button presses via scripts and programs. Furthermore, the front leds indicating warning and errors, are controllable using the ich_gpio interface of the Intel Atom processor.

Now i had almost everything i needed to create a custom, fully functional firmware using a recent linux kernel version as well as a recent Debian operating system.

I now knew which devices were available and which ones need special drivers. By searching the internet, GitHub and many other places, I finally stumbled across a github repository by d235j (David Ryskalczyk) (github.com) who found the drivers needed in the fosskit published by lenovo itself and created out of tree kernel modules. See the repository here: d235j/lenovoEMC-300d (github.com)
Furthermore the only issue of the repository mentioned the download links to the fosskits of the devices firmware. All i had to do now was implementing the drivers into a recent kernel source.

To integrate the drivers for the display, the sensors and buttons into the linux mainline kernel, I first had to get the kernel sources. I decided to go with the current 5.18 linux kernel sources distributed bv the Debian package repositories. By doing so, I could make sure, the current configuration of the Linux 5.4 kernel - which i know boots and provides serial output on this device - can be reused easily. To download and extract the Linux 5.18 kernel source I simply ran the following commands:

The download as well as the extraction of the archive may take a while. Afterwards I created a new git repository in the directory of the kernel source to be able to track the changes I made to the kernel source. The process of integrating a driver to the kernel sources can be very complex, depending on the driver and its dependencies. In this case it has been fairly simple. Here is a quick summary of my changes:

• Create a new directory for the ums8485md driver in the kernel source tree at drivers/misc
• Copy all driver source files into the newly created directory
• Grab a Makefile and KConfig file from another driver and modify it to match the current driver
• Add the driver to the nescessary KConfig and Makefile files in drivers/misc
• Change the logo that will be displayed once the driver is loaded
• Add a procfs entry to allow writing and reading from the framebuffer directly as well as resetting/refreshing the display

I have published the kernel and the integrated driver to my GitHub repository: mKenfenheuer/linux-image-5.18-px4-300d (github.com)

Now the driver has been integrated into the kernel sources and is ready to be compiled. To compile the kernel, I copied the current kernel source of the default Debian kernel from /boot/config-5.4 to the current directory as .config and ran make oldconfig to check for changed configuration options of the kernel. Once done I made sure that the driver as well as its dependency, the gpio_ich module for the Intel Atom GPIO interface, were enabled using make menuconfig. Now, the configuration was almost ready. To make sure the kernel will compile without errors, I also removed the reference to the kernels trusted system keys by setting CONFIG_SYSTEM_TRUSTED_KEYS = "" to an empty string. To compile ther kernel source into a .deb package which can be easily installed I had to run the following command:

After a few minutes, the kernel was compiled successfully. I copied the sources onto the NAS and installed the packages via dpkg and rebooted the device. After the reboot I was able to see the driver loaded successfully in the kernel output via dmesg.

From now on, I was able to write and read to and from the display framebuffer by using the procfs files located in /proc/ums8485md/. Now I only had to write a quick and dirty program which will display the current status of the device on the display. As this is not in scope of the blog article, I will not go into details here, but you can ofcourse find the source-code as always in my GitHub repository: mKenfenheuer/lenovo-px4px6-displayd (github.com)

With the updated kernel, a recent Debian 11 buster and the display, buttons and leds working all hardware functionalities have been restored. To be able to easily manage the nas again, I decided to install openmediavault.

Here is a video of the display in action: px4-300d-displayd-demo.mp4